Apps Have Been Leaking "Golden Nuggets" of Personal Info to the NSAS

The Guardian has obtained top secret documents from Edward Snowden that show that both the NSA and GCHQ (its UK equivalent) have been developing the ability to siphon personal information from "leaky" smartphone apps such as Google Maps and Angry Birds. In one document, the agency lays out the "perfect scenario" of the type of info it can obtain when a photo taken with a smartphone is uploaded to a social media site.

Yes, your selfie habit comes with a price.

The classified documents show that data from the latest generation of iPhone and Android apps isn't limited to age, gender, and location. According to the Guardian, the agency might even be able to figure out if you're a swinger:

One slide from a May 2010 NSA presentation on getting data from smartphones – breathlessly titled "Golden Nugget!" – sets out the agency's "perfect scenario": "Target uploading photo to a social media site taken with a mobile device. What can we get?"

The question is answered in the notes to the slide: from that event alone, the agency said it could obtain a "possible image", email selector, phone, buddy lists, and "a host of other social working data as well as location".

In practice, most major social media sites, such as Facebook and Twitter, strip photos of identifying location metadata (known as EXIF data) before publication. However, depending on when this is done during upload, such data may still, briefly, be available for collection by the agencies as it travels across the networks.

Depending on what profile information a user had supplied, the documents suggested, the agency would be able to collect almost every key detail of a user's life: including home country, current location (through geolocation), age, gender, zip code, martial status – options included "single", "married", "divorced", "swinger" and more – income, ethnicity, sexual orientation, education level, and number of children.

It's all part of the NSA's dragnet approach. Rather than hack into one person's handset, the agency uses mass surveillance tools, "such as cable taps, or from international mobile networks," to "collect large quantities of mobile phone data," from apps. And the more obsessed you get with the computer in your pocket, the more data the NSA gets.

The agencies also made use of their mobile interception capabilities to collect location information in bulk, from Google and other mapping apps. One basic effort by GCHQ and the NSA was to build a database geolocating every mobile phone mast in the world – meaning that just by taking tower ID from a handset, location information could be gleaned.

A more sophisticated effort, though, relied on intercepting Google Maps queries made on smartphones, and using them to collect large volumes of location information.

So successful was this effort that one 2008 document noted that "[i]t effectively means that anyone using Google Maps on a smartphone is working in support of a GCHQ system."

App developers or the companies that deliver an app's advertisements decide what information is generated. The Guardian says potentially sensitive details "would likely qualify as content, rather than metadata."

President Obama's recent speech about reforming the NSA focused on the collection of metadata and did not mention the information collected from smartphone apps. As with other recent revelations, the NSA says its not using its spy tools on Americans, but rather "valid foreign intelligence targets".

Just like the shadowy data brokers that sell information you put on Facebook to marketers, here the middlemen are the ad platforms:

One mobile ad platform, Millennial Media, appeared to offer particularly rich information. Millennial Media's website states it has partnered with Rovio on a special edition of Angry Birds; with Farmville maker Zynga; with Call of Duty developer Activision, and many other major franchises.

The agencies try to target "weak spots" in the communications infrastructure:

Another slide details weak spots in where data flows from mobile phone network providers to the wider internet, where the agency attempts to intercept communications. These are locations either within a particular network, or international roaming exchanges (known as GRXs), where data from travellers roaming outside their home country is routed.

In a 2010 presentation about the spy agencies big plans for mobile phone interception, GCHQ named their tech tools after various Smurfs:

GCHQ's targeted tools against individual smartphones are named after characters in the TV series The Smurfs. An ability to make the phone's microphone 'hot', to listen in to conversations, is named "Nosey Smurf". High-precision geolocation is called "Tracker Smurf", power management – an ability to stealthily activate an a phone that is apparently turned off – is "Dreamy Smurf", while the spyware's self-hiding capabilities are codenamed "Paranoid Smurf".

To the spy agencies, your privacy looks like dopey old cartoon.

To contact the author of this post, please email nitasha@gawker.com.

[Image via Getty]